git.ipfire.org Git - thirdparty/linux.git/commit
net: mana: hardening: Validate doorbell ID from GDMA_REGISTER_DEVICE response
author Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Fri, 6 Mar 2026 21:12:06 +0000 (13:12 -0800)
committer Paolo Abeni <pabeni@redhat.com>
Tue, 10 Mar 2026 12:39:51 +0000 (13:39 +0100)
commit 89fe91c65992a37863241e35aec151210efc53ce
tree a9c672afb386793a033ce310bbb7a7ed643e5d10
parent 46097d011f77f5758fb47b7059b4f1f2e7403940

As a part of MANA hardening for CVM, add validation for the doorbell
ID (db_id) received from hardware in the GDMA_REGISTER_DEVICE response
to prevent out-of-bounds memory access when calculating the doorbell
page address.

In mana_gd_ring_doorbell(), the doorbell page address is calculated as:
  addr = db_page_base + db_page_size * db_index
       = (bar0_va + db_page_off) + db_page_size * db_index

Hardware could return values that cause this address to fall outside
the BAR0 MMIO region. In Confidential VM environments, hardware responses
cannot be fully trusted.

Add the following validations:
- Store the BAR0 size (bar0_size) in gdma_context during probe.
- Validate the doorbell page offset (db_page_off) read from device
  registers does not exceed bar0_size during initialization, converting
  mana_gd_init_registers() to return an error code.
- Validate db_id from GDMA_REGISTER_DEVICE response against the
  maximum number of doorbell pages that fit within BAR0.

Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260306211212.543376-1-ernis@linux.microsoft.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
drivers/net/ethernet/microsoft/mana/gdma_main.c
include/net/mana/gdma.h
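
The bounds check described in the commit message, as an added userspace example; it is not the driver's code and not taken from this commit. The struct, the function names and the sample sizes are assumptions made for illustration; only bar0_size, db_page_off, db_page_size and db_id are names from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the values the commit message names. */
struct db_layout {
    uint64_t bar0_size;    /* size of the BAR0 MMIO region, in bytes */
    uint64_t db_page_off;  /* doorbell area offset, read from the device */
    uint64_t db_page_size; /* doorbell page size, read from the device */
};

/* Whole doorbell pages that fit between db_page_off and the end of BAR0.
 * Returns 0 when the device-supplied layout is unusable. */
static uint64_t db_max_pages(const struct db_layout *l)
{
    if (l->db_page_size == 0 || l->db_page_off > l->bar0_size)
        return 0;
    return (l->bar0_size - l->db_page_off) / l->db_page_size;
}

/* A db_id is acceptable only if its whole page lies inside BAR0. */
static bool db_id_valid(const struct db_layout *l, uint64_t db_id)
{
    return db_id < db_max_pages(l);
}

/* Offset of the doorbell page from the BAR0 base: the
 * db_page_off + db_page_size * db_index term of the address formula. */
static bool db_page_offset(const struct db_layout *l, uint64_t db_id,
                           uint64_t *off)
{
    if (!db_id_valid(l, db_id))
        return false;
    /* Cannot wrap: db_id < (bar0_size - db_page_off) / db_page_size. */
    *off = l->db_page_off + l->db_page_size * db_id;
    return true;
}

int main(void)
{
    /* Constructed sample: 64 KiB BAR0, doorbells at 32 KiB, 4 KiB pages. */
    struct db_layout l = { 0x10000, 0x8000, 0x1000 };
    uint64_t ids[] = { 0, 7, 8, UINT64_MAX }, off;

    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("db_id %llu: %s\n", (unsigned long long)ids[i],
               db_page_offset(&l, ids[i], &off) ? "accepted" : "rejected");
    return 0;
}
```

Comparing db_id against a page count derived by division, rather than comparing the computed address against the end of BAR0, keeps the check correct even for a db_id large enough to wrap the multiplication.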